Tag Archives: security

Privacy and Security on the Internet

On Monday, April 1, 2017, Congress passed and President Trump signed a bill to repeal rules that require ISPs to get your permission before selling information about your online habits. You can read more about it at USA Today or Ars Technica.

As soon as it was publicized, we received inquiries from Ayrstone customers about how they can protect themselves. Unfortunately, we really don’t have much we can offer. There is a lot of talk about Virtual Private Networks (VPNs), and some about the Tor Project, but neither is a very satisfactory solution.

VPNs securely route all your Internet traffic to the vendor’s routers, and then send that traffic to the Internet. This will prevent your ISP from seeing your Internet habits (because, from their perspective, all your traffic is going to the VPN vendor), but clever spies can untangle your traffic from the VPN’s stream, and there is a danger that the VPN will simply collect your information and sell it.*

The Tor project is the result of a U.S. Navy project (paradoxically, while the government spends your money to reduce your privacy, they also have spent money to improve your privacy…). It is a voluntary network of computers – you download their software, and all your traffic is routed through a seemingly random collection of computers around the globe before appearing again on the Internet from a random location. This is much more secure, but there are cases where agencies have re-assembled data from the Tor network.

Either VPNs or Tor will slow down your network, and neither offers perfect privacy. Various ISPs have vowed not to sell your internet usage data, and several states have started investigating passing local laws to protect privacy.

Add to this, unfortunately, that your ISP is far from the only source of information about your Internet usage. Google, Microsoft, Apple, and many, many others gather LOTS of information about your usage, and they use it to target advertising to you.

So there are three things you can do: first, use VPN or Tor software to increase your privacy, second, talk to your lawmakers about re-instating (and, preferably, increasing the scope of) the regulations around privacy, and, third, follow the advice of my old boss, Scott McNealy.


*There is another use of VPN – to connect a remote network to your LAN – and many of our customers use this kind of a VPN. In this case, you have a VPN router on your network, and you connect using VPN software or another VPN router to a remote network, such as (for example) a remote location where you have a different Internet “drop” from your home. In this use of a VPN, devices at that remote location get IP addresses and appear on the network as if they were in your home network, even though their traffic is routed out through a different Internet connection. This means you can be in the remote location and send a job to your printer at home, and it will be printed and ready when you get home, or you can access files on your home PC when you’re away. This does not help your privacy, except against information theft on public Internet connections, but it can make remote working more convenient.

Quick link to video interview

Aaron Ault, who is the team lead for the Open Agriculture Data Alliance, was interviewed by Precision Farming Dealer. I think that data privacy and ownership is an extremely important issue (one of the benefits of the AyrMesh system is keeping data on the farm), and I thought this was a terrific interview.

The video runs just under 6 minutes, and you can see it here: https://www.precisionfarmingdealer.com/articles/2650-deu

Security and the IoT

As you know, I think that the “Internet of Things” (IoT) has enormous potential for the farm. But we have all been recently reminded of the problems we are facing as BILLIONS of new devices come on to the Internet – Friday October 21, the IoT literally broke the Internet.

This event has been called the “Mirai botnet attack.” This is an extremely important event, because it used IoT devices to effectively bring the Internet to a stop for several hours on Friday, October 21. Even Ayrstone was affected: we use Zendesk for our customer support portal, and it was unavailable off and on on Friday.

This attack was innovative in two ways: first, it did not attack the affected sites directly, but rather attacked the Domain Name Servers (DNS, the servers that turn domain names like ayrstone.com into IP addresses like 104.24.21.15) of Dyn.com, making a huge number of websites, including Zendesk, Twitter, and others unreachable, even though they were working just fine.

But the most important innovation was the way the attack was done – using a Distributed Denial of Service (DDoS) attack from IoT devices. DDoS attacks work by sending a huge amount of data to a server from a large number of devices on the Internet, overwhelming the server and causing it to fail. Up until now, the “botnets,” as the devices sending the data are known, have mostly been personal computers infected with viruses that allow a remote user to control them and cause them to send out streams of data to the target server.

As I mentioned, however, this attack was different, because it used IoT devices – IP cameras, routers, wireless networking devices, and other little devices that people don’t see as being “computers.” But your router or IP camera has a lot more computing power than the powerful desktop computer you had just a few years ago.

Hackers were able to access these devices and install “botnet” software on them because – and this is THE IMPORTANT THING – the passwords were NEVER CHANGED from the defaults. For instance, many devices come with a default username of “admin” and a default password of “admin” or “password.” If those are not changed and they are exposed to the Internet, they are an open invitation to hackers.

Now, most of the devices on your network are NOT currently exposed to the Internet – they are safely hidden from the Internet by your router’s NAT firewall. But it is still important to change the default password on devices, and, if you have “port-forwarded” to any device to make it accessible via the Internet, it is DOUBLY important to make sure it has a STRONG password to protect it.

Ayrstone products, of course, are protected because the username and password for each device is set from AyrMesh.com. The only way an AyrMesh device can have the default username and password is if you don’t have an AyrMesh.com account, and we regularly disable devices that are not checking into an active account. However, even at that, AyrMesh devices should always be used behind a router’s firewall and not exposed to the Internet.

These devices are incredibly useful when used properly, but you have to take some minimal precautions to keep them safe. More information about the Mirai botnet attack and security of IoT devices can be found in this article and elsewhere.

This attack is a good reminder of three things:

  1. Make sure you always use good passwords (long, not a quotation or word) on ALL devices and keep those passwords secret,
  2. Don’t expose devices to the Internet unless you have to, and
  3. Purchase networking/IoT products from reliable vendors who can update the firmware to close vulnerabilities, preferably automatically and over the network. If not, make sure they make new firmware available to close holes as they are discovered, and install it regularly.
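The three reminders above can be turned into a small offline check of a home or farm network. This is an added example, not code from Ayrstone or the original post; the device inventory, the port-forward table format, the word list, the 12-character minimum and the severity labels are all constructed assumptions.

```python
import re

# Default logins named in the article; a real audit would use a longer vendor list.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password")}
# Constructed stand-in for a real dictionary word list.
COMMON_WORDS = {"admin", "password", "tractor", "harvest", "welcome"}
MIN_LENGTH = 12  # assumption: the article only says "long"

# Constructed router port-forward table: "<proto> <WAN port> -> <LAN IP>:<LAN port>"
FORWARDS = """\
tcp 9001 -> 192.168.1.20:80
tcp 8080 -> 192.168.1.30:80
"""

# Constructed inventory; the passwords are sample values for this check only.
DEVICES = [
    {"name": "barn camera", "ip": "192.168.1.20", "user": "admin",
     "password": "admin", "auto_update": False},
    {"name": "NVR", "ip": "192.168.1.30", "user": "farm",
     "password": "r7#Lq2vX!mD9zk", "auto_update": True},
    {"name": "shop camera", "ip": "192.168.1.21", "user": "admin",
     "password": "Tractor1", "auto_update": False},
    {"name": "yard camera", "ip": "192.168.1.22", "user": "ops",
     "password": "p4Wq-88sLm!tRz", "auto_update": False},
]

FORWARD_RE = re.compile(r"^(tcp|udp)\s+(\d+)\s*->\s*([\d.]+):(\d+)$")


def parse_forwards(text):
    """Map each LAN IP to the WAN ports the router forwards to it."""
    exposed = {}
    for line in text.splitlines():
        match = FORWARD_RE.match(line.strip())
        if match:
            exposed.setdefault(match.group(3), []).append(int(match.group(2)))
    return exposed


def password_problems(user, password):
    """Reminder 1: long, not a single word, and never the factory default."""
    problems = []
    if (user.lower(), password.lower()) in KNOWN_DEFAULTS:
        problems.append("factory default login")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if re.sub(r"[^a-z]", "", password.lower()) in COMMON_WORDS:
        problems.append("a dictionary word with decoration")
    return problems


def audit(devices, forwards_text):
    """Return {device name: (severity, reasons)} for the three reminders."""
    exposed = parse_forwards(forwards_text)
    report = {}
    for dev in devices:
        weak = password_problems(dev["user"], dev["password"])
        ports = exposed.get(dev["ip"], [])
        reasons = list(weak)
        if ports:  # reminder 2: port-forwarded, so NAT no longer hides it
            reasons.append(f"reachable from the Internet on WAN port {ports}")
        if not dev["auto_update"]:  # reminder 3
            reasons.append("firmware has to be updated by hand")
        if ports and "factory default login" in weak:
            severity = "critical"  # default login on an exposed device
        elif ports and weak:
            severity = "high"
        elif weak:
            severity = "medium"
        elif reasons:
            severity = "low"
        else:
            severity = "ok"
        report[dev["name"]] = (severity, reasons)
    return report


if __name__ == "__main__":
    for name, (severity, reasons) in audit(DEVICES, FORWARDS).items():
        print(f"{severity:9}{name}: {'; '.join(reasons) or 'no findings'}")
```

The barn camera is the case the post warns about: a factory default login on a device that is port-forwarded to the Internet.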

AyrMesh devices have firmware that is updated over the network. We issue several updates per year, and you needn’t do a thing – they happen automatically.

If you have any questions, of course, just let us know – support@ayrstone.com.

 

IP Cameras on the Farm: Part 3 – Using IP cameras for security

QNAP NVR, courtesy of QNAP

Now you know how to select an IP Camera, set it up on your farm, and view it from wherever you are, on or off the farm, which may give you a greater sense of security by itself.

However, you can’t watch what’s going on 24×7, and, with most cameras, you can’t go back and see what happened a couple of minutes ago (or last week). If you want to incorporate cameras as part of a security system (which may also include things like driveway sensors, indoor motion sensors, window/door open sensors, and other devices), then you should, at a minimum, have some sort of recording, and probably some sort of motion detection on the cameras. What I have found to be best is some sort of system that is continuously monitoring the cameras, and, when motion is detected, it records the previous several seconds of video and keeps recording until after the motion stops. That way, I find, I get a nice, clear video of the mailman coming up to the box every single day (and, if I choose, a text and/or email with a picture of the mailman within a few seconds of his arrival).

But, seriously, if you are having trouble with intruders (people breaking into your storage sheds or stealing Anhydrous), getting notification and pictures of them is a good idea. For that, you need a Network Video Recorder (NVR). An NVR is a device that plugs into your network and monitors your IP cameras, allowing you to view several cameras at once and go back to see what happened at a particular time. Most modern NVR systems also have motion detection and multiple alarm functions (including email and tripping a relay to set off an alarm).

Swann DVR with cameras, courtesy of Swann

An NVR is different from a Digital Video Recorder (DVR), although both can be useful tools for farm security. A DVR typically has a number of coaxial inputs for cameras, so you can attach 4, 8, or 16 cameras to the unit using coaxial cable and it will continuously record the video from those cameras. Most modern DVRs also have an Ethernet port so you can connect them to your network and monitor the cameras from wherever you are. A DVR can be very useful anywhere you want several cameras in a single physical location, like your home, workshop, or storage shed, where you don’t mind stringing wires. Most newer DVRs can also detect motion and send you an email or other form of alarm when they do.

Foscam indoor camera with storage – the little microSD slot under the antenna – courtesy of Foscam

Some newer IP cameras even have the NVR capability built-in, usually via an SD card slot. They store either still images or video to the SD card continuously so you can just “back up” while you’re viewing the cameras.

Almost all IP cameras have some form of motion detection, but many of them are effectively useless. There are three types of motion detection:

  1. Overall picture motion detection – this just looks for the number of pixels changing in the frame and alerts if that number rises above a certain level. Unfortunately, this is almost entirely useless, because, if the sensitivity is high, it will “alarm” every time the lighting changes slightly, and if the sensitivity is set too low, it won’t alarm at all.
    Setting a “zone” so the camera will alarm when the door is opened – courtesy of networkwebcams.com

  2. “Zoning” motion detection – this allows you to put rectangles into the camera’s frame and only alarm if there are changes inside those rectangles. This works better, but you still get a lot of “false alarms.”

    Object detection, courtesy of Sighthound

  3. Object detection – this is an algorithm that can pick out moving objects in the video stream and distinguish them from changes in the background. This means that you only get an alarm when something moves, and you can set the size of the object that will set an alarm so you don’t get called every time a gnat flies by.

Most inexpensive cameras use the first type of motion detection, which means the on-camera detection is worthless. Almost all other cameras use the second type of detection, which is not useless but still not great. Some high-end cameras can do object detection, but they’re pretty expensive.

The better idea is to have your NVR software do the detection and alarming, rather than the camera. There are two ways to do this: using a dedicated NVR (a small computer running embedded NVR software) or running an NVR program on a desktop computer that’s on 24×7. There are advantages to either approach.

Using a dedicated NVR is simple: you set it up, add the cameras to it through the onboard user interface, and forward a port to it on your router so you can access it while you’re away. QNAP is a vendor that makes a large range of standalone NVRs that are compatible with a wide variety of cameras. In all honesty, I have never been able to evaluate one, but customers have reported good results with them. Synology has developed a pretty good reputation, also – both brands are generally available on Amazon.

The downside to the dedicated NVR is that only some cameras are supported (although the brands mentioned above support a huge number of brands) and that it is difficult to evaluate the software to tell how well it will work for you. The vendors don’t really provide much detail about how they detect motion, what options are available, and what the units can do.

Ubiquiti Cameras and NVR, courtesy of Ubiquiti Networks

Some camera vendors like Vivotek, GeoVision, and Ubiquiti sell both cameras and NVRs to work with their cameras in an integrated package. Going that way makes it easier to know your cameras will work with the NVR, but more difficult to evaluate whether you have the right cameras and NVR for your operation.

The other option for an NVR is to use an NVR program on a computer that’s running all the time. There are several of these programs, but the two most popular are BlueIris and SightHound.  BlueIris is less expensive and runs on any Windows PC; SightHound is more expensive, but has a number of important advantages:

  1. It runs on either Windows or Mac computers;
  2. it is very easy to install, configure, and use; and
  3. it features advanced motion detection based on object detection.

I’m an unabashed fan of SightHound – I have written about it before on this blog – although I have used BlueIris and it is also very good. I also like the Ubiquiti system (Note: Ubiquiti builds the hardware for the AyrMesh system), although I find their software to be a bit too complex for most users. It also integrates with their mFi sensors and switches for security and automation.

Dropcam – courtesy of Dropcam

There is actually a third option – a camera that automatically loads its video to a “cloud-based” NVR. Dropcam is a system that uses nice, small, relatively inexpensive indoor cameras, which automatically send their video stream to their cloud servers, without the need for port-forwarding. I have also written about Dropcam before on this blog. The big advantages with Dropcam are that they are VERY easy to set up and use, and the company is now part of Nest (maker of the Nest thermostat), which is part of Google – they have the resources to keep this going and expand those products to do a lot more in the future. The disadvantages are:

  1. They currently only make indoor cameras; there is no outdoor option, and the cameras are not designed for outdoor temperatures.
  2. They charge on a per-camera basis for the recording function. They charge $10 per month/ $99 per year for the first camera and $5 per month/ $50 per year for each additional camera (that’s for 7 days of recording; their charges for 30 days of recording are 3x higher).
  3. There is no way to directly view the camera – the only way to view it is through the Dropcam website. This is not a big problem practically, but it does bug me a little. Even without a subscription, you can view the camera through their website and get notices when motion is detected, which is nice.

Whatever cameras and NVRs you choose, you’ll need to connect the cameras to the network, connect the NVR to the network, and make sure the NVR is “talking” to the cameras. You can then port-forward to the NVR (remember about this from the router series?) in order to access it from the Internet; that way you don’t have to port-forward to each of the individual cameras. You’ll need to fine-tune the sensitivity of each camera in order to get appropriate “alarms” for movement. You’ll also need to set the alarms up so they contact you appropriately. Setting up an email alarm is relatively easy, and all the cellular phone providers give you an email address that goes through as an SMS text message – for instance, on Verizon, if the phone number is 555-123-4567, you can email “5551234567@vtext.com.” That way you can get a text message on your phone whenever motion is detected.

So, now you have cameras set up in the critical parts of your farm, which you can view through your NVR, and you are set up to get alerts any time something moves in the field of view of those cameras. All of this, of course, is made possible because of your AyrMesh Network, covering your farm with powerful IP connectivity.

And there’s still a lot more you can do with the network… stay tuned!

IP Cameras on the farm: Part 2 – different kinds of cameras

Sorry to use this picture again…

There are a wide variety of IP (network) cameras available, ranging from the very inexpensive to the very good. That’s not to suggest that inexpensive cameras are not useful; it just means that you want to know which camera to use where.

If you just want to be able to see what’s happening on part of your farm, a cheap 640×480 (VGA size) camera will do a nice job. You can bring it up on your phone or tablet from anywhere on the farm, or port-forward to it to see what’s going on when you’re away. These cameras can be VERY inexpensive – from about $35 on Ebay – and they can work well for some applications; some are very small for indoor use, and some are built for outdoor use. The build quality on the very inexpensive ones is generally not great: one very inexpensive outdoor camera I purchased had the IC board held in place inside the housing with dabs of hot glue. That said, I still have it and it still works.

One thing to be aware of is that some inexpensive IP cameras require Internet Explorer to view the image on the camera. While this works with your laptop, it may keep you from seeing the camera on your phone or tablet (or they may offer a reduced-quality video stream for your phone or tablet), and it may prevent the camera from being integrated with a Network Video Recorder into an overall security system. If Internet Explorer is one of the requirements for the camera, I generally recommend against its use.

There are three major factors contributing to the quality of an IP camera:

Camera sensor chip

1.) Image sensor – the size (1/4”, 1/3”, or larger) of the sensor and its resolution (640×480, 1024×720, 1280×960 or 1280×1024) – in general, the larger the better.

Camera lens

2.) Optics – good optics make a big difference. A full-HD (1280×1024) camera with a crummy lens is less useful than a VGA (640×480) camera with a sharp lens. Unfortunately, it is impossible to evaluate the quality of a lens from the specifications of the camera – the price of the camera is a reasonable, but not entirely reliable, proxy. Some cameras offer different “sizes” of lens – for instance, a 3.6 or even 2.8 mm wide-angle lens or a 6 or 8 mm telephoto lens. Obviously, what you are watching will determine what kind of lens you need.

Firmware

3.) Firmware – the software running on the camera itself determines how easy it is to use and the features available. For instance, inexpensive cameras may offer MJPEG video streams and motion detection based on the entire scene the camera is surveying, while better cameras will offer h.264 streaming (which uses less bandwidth and delivers better framerates – frames of video per second), and the ability to detect motion in specific zones of the camera’s picture.

The internal electronics and build quality of the camera make a difference, of course, but that is generally only an issue with the lowest-cost cameras – my own experience is that any name-brand camera costing more than $100 has adequate hardware and good build quality.

Here are three examples of IP cameras that I have purchased and evaluated, with specific comments on each.

Cheap Ebay Camera

View through the cheap camera

1.) No-name $35 Outdoor WiFi Camera from Ebay (China). This little camera is actually one of my favorites. It has an adequate lens, a good, strong case, 640×480 resolution, and uses MJPEG for video. It sends about 4-5 frames per second, which is adequate for most purposes. It also has infrared (IR) LEDs in front for nighttime illumination. The biggest advantage this camera brings is that I can use it as a “scout” camera to see if I want to put a better camera in a particular place, and, if it gets kicked or dropped or destroyed, I won’t cry over it – I typically buy them 3 or 4 at a time and, if they have problems, I just throw them away.

 

Agasio camera

View through Agasio Camera

2.) Agasio outdoor WiFi Camera. The specs on this camera are identical to the “no-name” camera above (WiFi, 640×480, MJPEG), but with more IR LEDs for better nighttime performance and a mechanical IR filter for better color in low light conditions. I am not actually sure the IR filter is that useful (and Foscam sells an identical camera without the IR filter), because it can fail in cold weather and make the picture look very odd as the filter clicks continuously in and out. I consider this (and the similar Foscam camera) the “workhorse” – it’s inexpensive and it works well, and Agasio/Foscam (they’re the same company) has an office in Houston you can call if you have trouble. I use these at my house to keep an eye on the yard, but I don’t use the motion detection capabilities because it’s very difficult to use effectively: if you turn the sensitivity down, you won’t capture motion when it happens, but, if you turn it up, you’ll be getting alarms every sunrise, sundown, and every time a cloud crosses the sun.

Axis indoor camera

View from Axis camera

3.) Axis indoor WiFi camera M1031-W. Axis is generally acknowledged to be the highest-quality IP camera vendor, and appropriately priced. This is their lowest-cost unit, but it clearly shows the difference between their quality standards and those of the lower-cost cameras. Even though this camera has only a 640×480 sensor and a tiny lens, the picture is excellent and the firmware is very easy to use yet feature-filled. It offers several different kinds of streaming (MJPEG, h.264) and the ability to detect motion in “zones” you can select with a little Java applet on the camera. I use these cameras to protect my house, although I do get false alarms from it.

That’s a quick overview of the “cheap and the good” of the IP camera world. If you are just looking to have a camera on your farm that will allow you to see some critical item when you need to, I generally recommend one of the Foscam WiFi or Ethernet cameras. For more critical tasks, such as keeping an eye on a foaling mare, I generally recommend an appropriate Axis camera.

Outdoor Point-Tilt-Zoom (PTZ) camera

One handy thing you can do is have a camera way up on a pole or tower that you can swivel around and zoom in on any part of the farm. The Axis outdoor Point-Tilt-Zoom cameras can give you an amazing view of your property, but you’ll need to connect them to your network with an Ethernet cable (or an AyrMesh Hub, Receiver, or Bridge), because they don’t have WiFi. You’ll also need to mount them to something secure, because movement in the camera will make the quality of the picture moot.

Next, we’ll look at putting together a system of cameras for home and farm security, including cameras and Network Video Recorders – see part 3 here.

IP Cameras on the Farm: Part 1

Many people start building an AyrMesh network on their property to provide Internet access across their acreage. However, having an Internet Protocol (IP) network across your property gives you the opportunity to connect devices on the property to help you be more productive, more efficient, safer, and happier.

When I ask people what else they’d like to do with their AyrMesh Network, the first thing that usually comes up is cameras – the ability to see their property remotely.

There are two distinct reasons for putting cameras on your property: the first is what I call “situational awareness” – being able to bring up a view of some part of your farm any time you want. The second is for security – automatically monitoring some view of your property and alerting you when something happens.

If you have animals on the farm, you probably worry about them – especially if your livelihood is tied up in them. One of the most common uses for cameras on the farm is to be able to check on the animals, whether it’s just so the kids can see the horses when you’re away or if you need to check on farrowing sows, calving cows, or foaling mares to protect your investment.

A lot of people also just want to be able to view some part of the property, like the driveway or the kid’s play area, so they can know what’s going on any time. Sometimes these cameras may be dual-purpose, serving both a security function and for situational awareness.

Putting a camera on your property gives you a “view” – you get the IP address of the camera from your router and you can bring up that view from anywhere on your property. Then you can do what’s called a “port forward” on your router to make your camera viewable from the Internet, wherever you may be. For instance, I always forward port 9001 to a camera in my living room. I can look at my public IP address on AyrMesh.com and find that it’s 99.100.101.102 (it’s not, but let’s pretend…), so I just need to point a browser to http://99.100.101.102:9001 and log into my camera (note: you HAVE to have a good, strong password on your camera).

Next we’ll talk a little about the different kinds of IP cameras and the tradeoffs and compromises you can make – see part 2 here.

Farm Security with SightHound

“Farm security” used to be synonymous with “watchdog” or maybe “shotgun,” but farms have gotten a whole lot bigger than even a big dog or a light sleeper can protect. And farm equipment and inventory haven’t gotten any cheaper to replace.

For that reason, I have long been a proponent of using cameras for both farm operations (e.g. being able to see what’s going on in a livestock barn while you’re in bed) and farm security.

For operational use, IP cameras are easy (as long as you have a network). Just hook up a camera, find its IP address on your router, and use a phone, tablet, or computer to take a look any time you want. If you want to see it when you’re off your network, port-forward to the camera from your router.

For security use, however, you want to watch it all the time. Staying up all night staring at the computer screen is not really practical, but there are some good alternatives. My favorite one is a program called “Sighthound.” It runs on your Windows PC or Mac, and it’s reasonably priced ($250 as I’m writing this). As long as you have a machine that’s on 24×7 (like my desktop machine), it’s a great solution.

Sighthound has a number of attractive attributes:

  • Runs on either Windows or Mac
  • Works with a very broad variety of cameras
  • Very easy to set up and use
  • Object-based motion tracking instead of just motion detection

That last point deserves some explanation – simple motion detection (like the built-in detection on inexpensive IP cameras) just looks for pixels to change from frame to frame, and “alarms” if a certain percentage of the pixels in the picture change. The problem is that a lot of the pixels change any time the lighting changes (sunup, sundown, sun going behind the clouds, etc.) so you get a lot of false alarms. Better systems allow you to specify “zones” for motion detection, so you are only considering the part of the picture you are actually concerned with. This reduces, but does not eliminate, these “false positives.” But Sighthound uses a much more accurate (albeit processor-intensive) method to identify and track moving objects in the picture. In the picture here, Sighthound is tracking the dog walking through the living room – you can see the dog in the yellow box near the bottom of the screen. This video was recorded automatically from the moment the dog moved until she went out of sight. However, even on a day when clouds are crossing the sun and the light coming through the window is almost constantly changing, it doesn’t record unless the dog (or something else) moves.
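The three detection styles described above (and in Part 3 of the camera series) can be compared on a toy frame. This is an added example, not code from Sighthound or the original post: the frame size, thresholds and scenes are constructed, and the object detector is a simplified stand-in (median lighting compensation plus connected-blob size), not Sighthound's actual algorithm.

```python
from collections import deque
from statistics import median

ROWS, COLS = 12, 16   # constructed toy frame, brightness 0-255 per pixel
PIXEL_DELTA = 20      # brightness change that counts as a "changed" pixel

def frame(base=100, patches=()):
    """Build a constructed frame; each patch is (top, left, height, width, value)."""
    pixels = [[base] * COLS for _ in range(ROWS)]
    for top, left, height, width, value in patches:
        for r in range(top, top + height):
            for c in range(left, left + width):
                pixels[r][c] = value
    return pixels

def changed(prev, cur, compensate=False):
    """Mask of pixels that moved more than PIXEL_DELTA between two frames."""
    diff = [[cur[r][c] - prev[r][c] for c in range(COLS)] for r in range(ROWS)]
    # Subtracting the median change cancels a scene-wide lighting shift.
    shift = median(v for row in diff for v in row) if compensate else 0
    return [[abs(v - shift) > PIXEL_DELTA for v in row] for row in diff]

def global_alarm(prev, cur, fraction):
    """Type 1: alarm when enough pixels in the whole picture change."""
    mask = changed(prev, cur)
    return sum(sum(row) for row in mask) / (ROWS * COLS) > fraction

def zone_alarm(prev, cur, zone, fraction):
    """Type 2: same test, restricted to one rectangle (top, left, height, width)."""
    top, left, height, width = zone
    mask = changed(prev, cur)
    hits = sum(mask[r][c] for r in range(top, top + height)
               for c in range(left, left + width))
    return hits / (height * width) > fraction

def blob_sizes(mask):
    """Sizes of 4-connected groups of changed pixels (candidate moving objects)."""
    seen, sizes = set(), []
    for r in range(ROWS):
        for c in range(COLS):
            if not mask[r][c] or (r, c) in seen:
                continue
            seen.add((r, c))
            queue, size = deque([(r, c)]), 0
            while queue:
                y, x = queue.popleft()
                size += 1
                for ny, nx in ((y + 1, x), (y - 1, x), (y, x + 1), (y, x - 1)):
                    if (0 <= ny < ROWS and 0 <= nx < COLS
                            and mask[ny][nx] and (ny, nx) not in seen):
                        seen.add((ny, nx))
                        queue.append((ny, nx))
            sizes.append(size)
    return sizes

def object_alarm(prev, cur, min_area):
    """Type 3 (simplified): alarm only for a connected blob of at least min_area."""
    mask = changed(prev, cur, compensate=True)
    return any(size >= min_area for size in blob_sizes(mask))

EMPTY = frame()                      # reference frame: nothing happening
DOG = (7, 2, 3, 4, 200)              # 12-pixel object away from the door
PERSON = (4, 11, 4, 2, 200)          # 8-pixel object inside the door zone
GNAT = (1, 1, 1, 1, 200)             # 1-pixel object
DOOR_ZONE = (2, 10, 8, 5)
SCENES = {
    "cloud passes": frame(base=130),
    "gnat": frame(patches=[GNAT]),
    "dog crosses room": frame(patches=[DOG]),
    "dog while cloud passes": frame(base=130, patches=[DOG]),
    "person at door": frame(patches=[PERSON]),
}

def evaluate():
    """Run every detector on every constructed scene."""
    return {name: {
        "global_sensitive": global_alarm(EMPTY, cur, 0.03),
        "global_insensitive": global_alarm(EMPTY, cur, 0.10),
        "door_zone": zone_alarm(EMPTY, cur, DOOR_ZONE, 0.10),
        "object": object_alarm(EMPTY, cur, min_area=6),
    } for name, cur in SCENES.items()}

if __name__ == "__main__":
    for scene, alarms in evaluate().items():
        print(f"{scene:24}", alarms)
```

On these scenes no sensitivity setting of the whole-picture detector separates the cloud from the dog, the door zone still fires on the cloud, and only the blob test ignores both the cloud and the gnat.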

Sighthound has a number of really nice features, including a built-in webserver which allows you to view it from another computer, tablet, or smartphone. You can port-forward to your computer and access Sighthound from anywhere on the Internet.

Sighthound is, of course, no better than the cameras and computer you are using – if they are poorly set up, unreliable, or have poor connections to the network, Sighthound will fail to work properly. But, if your computer, network, and cameras are reliable, Sighthound can provide outstanding monitoring and alerting for your farm or ranch.